Breach Notification , Leadership & Executive Communication , Security Operations
ISMG Editors: What CISOs Can Learn From Ex-Uber CSO Verdict
Also: Keyless Auto Theft Arrests; Updates on Passwordless Tech From FIDO Conference Anna Delaney (annamadeline) • October 21, 2022In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including the implications of the former Uber CSO's guilty verdict for the rest of the industry, the growing problem of keyless car theft, and the latest progress toward a passwordless future revealed at the annual FIDO Alliance conference.
See Also: 5 Requirements to Stay Afloat in the SIEM Storm
The panelists - Anna Delaney, director, productions; Michael Novinson, managing editor, business; Mathew Schwartz, executive editor of DataBreachToday and Europe; and Tony Morbin, executive news editor - discuss:
- Lessons learned from the trial of former Uber CSO Joe Sullivan, who was found guilty of a criminal data breach cover-up over a security incident resulting in the exposure of records for approximately 57 million of the ride-hailing service's customers and 600,000 driver's license numbers;
- How police in three European countries arrested 31 individuals involved in the keyless theft of automobiles, including developers of the software that enabled the theft, its resellers and car thieves;
- Highlights from Authenticate 2022, a three-day FIDO Alliance conference in Seattle this week, including the latest updates on FIDO Passkeys, MFA bypass woes, biometrics and usability testing.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Oct. 7 edition discussing the plot to leak U.S. health records to Russia and the Oct. 14 edition assessing the proposed EU-U.S. data flow plan.
Anna Delaney: Hello, I'm Anna Delaney and welcome to the ISMG Editors' Panel - our weekly analysis of what's happening in the world of cybersecurity. Delighted this week to be joined by editors Mathew Schwartz, Tony Morbin, and Michael Novinson. Wonderful to be with you all.
Tony Morbin: Good to be with you.
Mathew Schwartz: Good to be back, Anna.
Delaney: Mathew, why don't you start us off? Bring us back to the real world. You have penned an excellent piece this week, which looks at the Joe Sullivan verdict and offers a guide to thesis on how to avoid jail. How do they do that?
Schwartz: Like every attorney one ever speaks to as a journalist by saying, I'm not offering legal advice when I share this analysis with you now. But certainly one of the most talked about cases, if you are anywhere close to cybersecurity will be the fact that Joe Sullivan, the former chief security officer of Uber, got charged with a criminal breach cover up. It wasn't clear what was going to happen with his case. But it did go to trial, which was a bit of a surprise. We'll get into that in a second. But he was found guilty on two counts by a federal jury in the case. He hasn't been sentenced yet. But this has got a lot of cybersecurity experts worried. Could I, despite my best efforts or intentions, end up like Joe? Could I go to jail because I didn't tell the right people about a breach at the right time? This has been a huge topic of discussion. I've spoken with some security experts about it as well, just trying to figure out if we can get some takeaways from this case. The big takeaway is: No. That's going to be the short answer here. Is this case applicable to anybody else? The answer is, unless your organization is being actively probed by the Federal Trade Commission, and you have been legally designated at the contact point, as the person who needs to make sworn testimony to the FTC, then it's unlikely you would ever find yourself in this situation. Unfortunately for Joe Sullivan, he did find himself in that situation. He's a former attorney. He's a former federal prosecutor, which may also be behind what looks like decision to throw a book at him. But what happened was there was a big breach, it affected 57 million of the users. As he investigated it, what Uber ended up doing was paying the two grey hat hackers, who alerted Uber to the breach, and they ended up paying them $50,000 each in bitcoins. These two pleaded guilty to extortion, and it makes it look like what they were doing was criminal, black and white. At the time, though, you can imagine if you are investigating this incident, and trying to lock it down, and you've got these two people, maybe gray hats, maybe a lot worse, saying, "Look, if you give us some money, we'll tell you what happened. We'll sign an NDA that says we didn't keep the data, we'll show you our systems, and that we didn't keep the data, we won't tell anybody else about it, and we'll make your problem go away." From that perspective, maybe the chief security officer was just trying to do the best job possible for helping users and ensuring that this didn't get out, causing greater damage. Again, unfortunately, for him, Uber was the focus of an FTC investigation into a prior breach. The FTC was looking at possibly fines, and also certain guarantees and assurances that it was going to be imposing on Uber to ensure that its security program was brought up to snuff. I think we're going to have to wait for Joe Sullivan's book to understand what he did and why. But if there's two takeaways here that I've been told by other cybersecurity experts who've looked at this case, it is that one, you should have playbooks for this sort of thing. Sullivan wasn't going this alone, and he was communicating with other people inside the organization. None of them got charged. But possibly working against him was the fact that he was an attorney. It's possible that he wasn't liaising with the general counsel as much as he might have been, if you were a chief security officer, who didn't have a legal degree who hadn't been a federal prosecutor in a past life. What people were telling me was, have playbooks, know who does what and when, practice these in advance. This brings everybody together. This is your standard incident response playbook. You should be practicing these with tabletop exercises, you discover a breach, for example, what happens next? Who do you inform? Is it the insurance company because they will bring incident responders to bear is it your legal team, so they can get advice, possibly do things involving privileged communications about how you respond. The CEO is going to need to know, maybe the chief financial officer needs to know because you're a public company, and they want to make sure that anybody involved is not buying or selling stock while this is happening. Maybe there's an external legal team, maybe there's an external incident response team, etc. Settle this out in advance so nobody is doing anything that might be construed as going alone or acting inappropriately. That's one big thing. Another thing is with these, no playbook would account for everything. There's no playbook that Sullivan could have used to have dealt with this. But one attorney told me that you want to also give it a mission statement. The CEO needs to imbue this playbook with certain values, mission statement, and transparency, for example, often better, to err on the side of transparency might cause some short-term pain. But in the long term, if you've told the FTC anyway, you're probably going to be getting some brownie points, and it's probably going to work out better for you. That's the big thing, transparency and playbooks. Maybe there's more than two, but also this clarity, knowing who you should be speaking with, and do it all in writing, as well. If you talk to legal, legal gives you an opinion. Document it all so that if something does go wrong, you can show to outside parties, regulators, for example, board of directors, if they do an investigation, which is what happened at Uber. You can show them what you did, and why. Hopefully, with the best of intentions.
Delaney: That was a great overview. As you say, for the majority of season probably won't be in the same situation. It's certainly getting the community talking and reflecting, scrutinizing playbooks. Even last night, I was moderating a roundtable this came up and I asked attendees how confident they are in assessing vulnerabilities in their environments. And one of the attendees said, if you asked me a couple of weeks ago, I'd be very comfortable but post Joe Sullivan case, not so much.
Schwartz: It's so tricky as well, because you are making value judgments all the time about what you're focusing on and is a breach reportable? You do get legal advice on that. What happens if you don't like the legal advice? Possibly CISOs are going to be a little more ready to say, "I'm leaving then" or maybe turn whistleblower. This is showing the downsides that can happen when things go wrong. I don't think they often do go wrong in this manner. But when they do, it can be pretty catastrophic. He's facing jail time.
Delaney: I think we'll be talking about this case for a while. Tony, there has been a rise in the keyless theft of automobiles, and some arrests even in Europe. Break the story down for us.
Morbin: It's just another connected devices story, but it's a further development. Now, the concern that our physical world could be hacked through connection to information technology has been around for as long as such connections have existed. In fiction, that tended to focus on the dramatic, such as the takeover of the launch of nuclear weapons, including kids in the 1983 film WarGames. Reality wasn't so far behind with the Stuxnet worm disabling an Iranian nuclear power station back in 2010. But for the average consumer, it was the idea that someone could take over their car while they were driving. Sure enough, in 2015, two researchers Charlie Miller and Chris Valasek did just that, which ended up leading to the recall of 1.4 million Jeep vehicles. But however terrifying such a prospect remains, it's not what cybercriminals are targeting. Quite simply, they want to steal what is probably your most valuable asset apart from your house. Unfortunately for them, it's an asset that we often leave out on the street unattended. Previously, we used to use physical locks and keys to secure them. But now we often use electronics with keyless entry. Now common way to execute keyless auto theft is an attack, which involves intercepting a car's scan for the signal from a fob with authorization to start the engine. But this week, saw a more sophisticated version. When your opponent notes that 31 suspect members of a car hacking and jacking gang had been arrested across France, Spain and Latvia. They leveraged a hacking tool to steal cars without having to use a physical key fob. Europol said that the criminals specifically targeted vehicles with keyless entry and start systems and exploiting the technology to get into the car and drive them away. It's reported that the thieves use software marketed online as a diagnostic tool to replace the original software of the vehicles allowing the doors to be opened and the mission to be started without the actual key fob. The exact method is still being investigated, but based on publicly available data, it looks like the thieves found a vulnerability in the electronic control unit governing the authorization of new key fobs. Either they found a way to skip the check that a new fob was properly authorized, or they simply reprogrammed the entire electronic control unit. Now that would be very concerning as an ECU made by a single company can feed the supply chain of more than one auto manufacturer. Potentially impacting many thousands of vehicles or tens of thousands of vehicles. Now, even though fixes will be implemented, most of us are driving vehicles designed about a decade ago. It's certainly a problem that's not going to go away. In fact, there are predictions that the automotive cybersecurity market is going to be worth $5.3 billion by 2026. Auto cybersecurity absolutely is now firmly part of our industry.
Delaney: Do we have any indication as to how the police track these criminals down?
Morbin: I'm afraid not. It was Europol working in concert with the law enforcement authorities in France, Spain and Latvia. But I'm afraid I don't know exactly how they've done it. I do know that the industry is working collaboratively to look at ways that they can develop new defenses. NTT Communications Corporation and DENSO did jointly develop the security operations center for vehicles to respond specifically to sophisticated cyberthreats against vehicles. I'm sure we're going to see many more initiatives like that. If I have to be honest, it's not just vehicles. I don't know if you've seen this week that Ukrainians attaching a machine gun to a drone and plans to attach flame throwers. Any kind of vehicle that can be hacked is going to be.
Schwartz: I have to tell you what's going on in this picture here. Is that a shout of glee as somebody unlocks extremely valuable automobile?
Morbin: It is indeed. There's a Tesla in the background and he's got the keyless device around his neck. It's a pack thing. That is apparently somebody very proudly cheering that they've just broken into a car.
Schwartz: They have a new Tesla.
Delaney: Yes. Thank you, Tony. Michael, you are live from the FIDO Alliance's Authenticate 2022 conference. How's it going? What are the key trends that everybody's talking about?
Michael Novinson: I am indeed in Seattle, Washington, for the Authenticate 2022 conference from FIDO Alliance. Bigger event this year than last year. Nearly 500 people here in person in Seattle, as well as many, many others attending virtually. A big theme of this show, I would have to say is that not all multifactor authentication is created equal. We've seen over the past attack had a huge push from government and from industry to get people away from that single factor and add a second factor. And there wasn't much focus on the details just if you do 2FA or if you do MFA, you're secure. The events we've seen transpire over recent months with MFA bypass has had to bring into focus the differences between different types of second factors. In particular, a lot of the dialogue at the conference has focused on the danger of OTP or one time passwords. Now I'm sure this is a mechanism many of us have used where we enter in a traditional username and password to a website. Then the site often via SMS sends outside, often a six digit numeric code texted to us. Then we're drafted to input the six digit code we received on our mobile phone into the site in order to complete our authentication process. The message out of this show has been that that's not a secure way to go about doing things. Because lots of people have confined your mobile phone number, their databases where that's readily accessible, and it's so easy for a bad actor to impersonate one of those OTP messages, especially since they often contain little other than just a six digit codes and, say who it's from, or what it's to be used for, and oftentimes doesn't even expire after a certain amount of time. It's very easy for bad actors to just impersonate that and then create a lookalike dummy page where you throw that credential into and now they have the keys to the kingdom. There's not a huge focus at the show and the idea of phishing resistant multifactor authentication. Now, with this being our FIDO Alliance conference, people have embraced the FIDO standard, there is a big breakthrough in May, when the three major browser makers and the three major OS companies that being Google, Microsoft, and Apple - all agreed to champion the FIDO standard. And in particular, there's been a focus on the FIDO passkey, which is a term that all parties have agreed to use here to describe how FIDO's technology can be used to log of people in and the idea being that it's not as a code that's sent to you via text. But essentially, that second factor is something that FIDO already has either stored on a physical device or more often stored in the cloud. And that could be a biometric or can be some other type of code. But essentially that retailers and others or OS makers can just chuck a user against that FIDO passkey. That can provide that second level of verification that somebody is who they say they are, without them having to enter an alphanumeric code that bad actor could have passed along to them.
Delaney: I would presume at FIDO's conference, they're already preaching to the already converted. Did you get an indication as to when this technology, phishing resistant MFA will become more mainstream? And what do we need to overcome to get there?
Novinson: It's a good question. I think that's the primary question at this point is that a lot of the people I've spoken with thought that technology is there today. It is a matter of the big DLS makers who agreed to NATO adopt a standard to build it out more broadly across their environment. And I'd have to speak to a senior director over at Google who was saying that there is a lot of focus on rolling out FIDO passkeys first internally, and then as we get into 2023, to their customer base and figuring out what some of the common objections customers might have, some of this areas where they might stumble with implementation. But 2023 appears to be the year where the rubber is going to hit the road with this FIDO passkey. The idea being if you have the buy-in of the three major OS and browser device makers, then it makes it much easier. That establishes its credibility, and it makes it much easier to have other retailers and other third parties adopt the standard as well. FIDO's got friends in some powerful places. Jen Easterly delivered a pre-recorded video keynote to the show on Monday. She along with Bob Lord from the system, the U.S. were both championing the FIDO standard. There's a lot of momentum behind this being a vendor-neutral, broader industry standard that folks can use that can eventually eliminate the need for passwords, even in scenarios where, for instance, somebody got a new device, they bricked their phone, or their phone stopped working, and they're using a new device. The first time that they wouldn't even in that scenario need to enter a password for their initial login, that they could simply still go into that FIDO repository to authenticate a user to a brand new device. FIDO Alliance has been pretty open that their goal is to kill the password and the passkey does seem like a major step forward and being able to do that.
Delaney:That's a great goal. I implore anybody watching this to check out Michael's regular posts from the event. It's been very informative, and we'll share the highlights. Thanks, Michael. As always, this has been a pleasure to be with you. Thank you for watching. Until next time.